Create CA

Generate CA key

Generate a 2048-bit RSA key and encrypt it with a passphrase using 3DES (-des3)

openssl genrsa -des3 -out server.CA.key 2048

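Remove the passphrase from the key (the output can also be copied to a .pem file). Both resulting files hold the CA private key unencrypted, so restrict access to them.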

openssl rsa -in server.CA.key -out server.CA.nopass.key
cp server.CA.nopass.key server.CA.pem

Generate a Certificate Signing Request for CA

openssl req -verbose -new -key server.CA.key -out server.CA.csr -sha256

Create the default directory layout (./demoCA) that openssl ca needs before it can load the CA

mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
echo '1000' > ./demoCA/serial

Self-sign the CA certificate. The resulting server.CA-signed.crt can now be made public.

openssl ca -extensions v3_ca -out server.CA-signed.crt -keyfile server.CA.key -verbose -selfsign -md sha256 -enddate 20870919235959Z -infiles server.CA.csr

View certificate info

openssl x509 -noout -text -in server.CA-signed.crt

Convert CRT to PEM

openssl x509 -in server.CA-signed.crt -out server.CA-signed.pem -outform PEM

Convert PEM to DER format

openssl x509 -inform PEM -outform DER -in server.CA-signed.pem -out server.CA-signed_der.crt

View DER certificate info

openssl x509 -in server.CA-signed_der.crt -text -inform der

Sign a CSR file with the CA

Generate web server key

openssl genrsa -des3 -out server.apache.key 2048

Generate a Certificate Signing Request for web server

openssl req -verbose -new -key server.apache.key -out server.apache.csr -sha256

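Sign the web server certificate with openssl x509, using the CA certificate and CA key (-sha256 sets the signature digest explicitly, matching the CSR and CA commands above)

openssl x509 -req -sha256 -days 360 -in server.apache.csr -CA server.CA-signed.crt -CAkey server.CA.key -CAcreateserial -out server.apache.crt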
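
Check the issued certificate before deploying it. The script below is an added example, not part of the original notes: check_issued_cert and make_demo_pki are hypothetical helper names. The demo PKI uses constructed subject names and unencrypted throwaway keys, and creates its CA with openssl req -x509 instead of openssl ca so that it runs without prompts.

```shell
# Added example; check_issued_cert and make_demo_pki are hypothetical helpers.
# Usage with the files produced above:
#   check_issued_cert server.CA-signed.crt server.apache.crt server.apache.key
# Prints one line per failed check; returns 0 only if every check passes.
check_issued_cert() {
    ca=$1 leaf=$2 key=$3 rc=0

    # 1. The certificate must chain to the CA and be within its validity period.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
        || { echo "FAIL: $leaf does not verify against $ca"; rc=1; }

    # 2. The signature digest must not be MD5 or SHA-1.
    sigalg=$(openssl x509 -noout -text -in "$leaf" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sigalg in
        md5*|sha1*) echo "FAIL: weak signature algorithm $sigalg"; rc=1 ;;
    esac

    # 3. The private key must carry the same public key as the certificate.
    cert_pub=$(openssl x509 -noout -pubkey -in "$leaf" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $leaf"; rc=1; }

    return $rc
}

# make_demo_pki DIR: constructed throwaway CA and server certificate
# (made-up subject names, unencrypted keys) for trying the checks offline.
make_demo_pki() {
    d=$1
    openssl genrsa -out "$d/server.CA.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 30 -key "$d/server.CA.key" \
        -subj "/CN=Example Demo CA" -out "$d/server.CA-signed.crt"
    openssl genrsa -out "$d/server.apache.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/server.apache.key" \
        -subj "/CN=www.example.test" -out "$d/server.apache.csr"
    # Same signing step as on this page, with the digest set explicitly.
    openssl x509 -req -sha256 -days 30 -in "$d/server.apache.csr" \
        -CA "$d/server.CA-signed.crt" -CAkey "$d/server.CA.key" \
        -CAcreateserial -out "$d/server.apache.crt" 2>/dev/null
}
```
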